修复中控
+41
-2
@@ -9,7 +9,15 @@ import json
import time
from functools import wraps
from flask import current_app, get_flashed_messages, jsonify, redirect, request, session
from flask import (
current_app,
flash,
get_flashed_messages,
jsonify,
redirect,
request,
session,
)
from hub_auth import request_allowed
from hub_sso import safe_next_path, verify_hub_sso_token
@@ -109,9 +117,32 @@ def install_on_app(
"views": views,
}
install_hub_embed_headers(app)
configure_hub_embed_session(app)
register_hub_routes(app)
def configure_hub_embed_session(app):
"""HTTPS 跨域 iframe 内嵌时须 SameSite=None + Secure,否则 hub-sso 写入的 session 会丢失。"""
import os
allowed = (os.getenv("APP_ALLOW_HUB_EMBED") or "true").strip().lower() in (
"1",
"true",
"yes",
"on",
)
if not allowed:
return
secure = (os.getenv("APP_COOKIE_SECURE") or "").strip().lower()
if secure not in ("1", "true", "yes", "on"):
return
app.config.update(
SESSION_COOKIE_SECURE=True,
SESSION_COOKIE_SAMESITE="None",
SESSION_COOKIE_HTTPONLY=True,
)
def install_hub_embed_headers(app):
"""允许复盘中控 iframe 内嵌打开本实例(须与 hub 的 HUB_EMBED_ORIGINS 或域名一致)。"""
import os
@@ -286,10 +317,18 @@ def register_hub_routes(app):
return redirect(safe_next_path(next_arg))
ex = str((_ctx().get("exchange") or "")).strip().lower()
token = (request.args.get("token") or "").strip()
ok, next_path, _err = verify_hub_sso_token(token, ex)
ok, next_path, err = verify_hub_sso_token(token, ex)
if ok:
session["logged_in"] = True
session.modified = True
return redirect(next_path)
hint = err or "校验失败"
flash(
f"中控 SSO 未生效({hint})。"
"请确认中控与实例 .env 中 HUB_BRIDGE_TOKEN 一致,"
f"且中控设置里该账户 key 为「{ex}」。"
"直链实例地址仍需输入 APP_PASSWORD。"
)
return redirect("/login")
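Review bot: `configure_hub_embed_session` sets `SESSION_COOKIE_SAMESITE="None"`, which makes the browser attach the session cookie to every cross-site request, so any state-changing route that relied on the Lax default for CSRF protection loses it once APP_COOKIE_SECURE is on — and because `APP_ALLOW_HUB_EMBED` falls back to `"true"`, this applies to every HTTPS deployment, embedded or not. Consider making the relaxation opt-in, `allowed = (os.getenv("APP_ALLOW_HUB_EMBED") or "false").strip().lower() in (`, or at least record the trade-off in the docstring, e.g. `"""Set SameSite=None + Secure so the hub-sso session survives in a cross-origin HTTPS iframe; the cookie is then sent on all cross-site requests, so CSRF protection must not rely on SameSite."""`. It is also worth confirming that `install_hub_embed_headers`, whose body is outside this hunk, restricts framing to the hub origin, since embedding is now enabled by default. In the SSO handler in the third hunk, `hint = err or "校验失败"` flashes the verifier's failure reason to an unauthenticated visitor; if `verify_hub_sso_token` distinguishes a signature mismatch from expiry or an exchange mismatch, that detail belongs in the server log rather than the flash message.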